Method and device for anonymous signature with a shared private key

ABSTRACT

A cryptographic method and apparatus for anonymously signing a message. Added to the anonymous signature is another signature which is calculated (operation 13) using a private key common to all the members of a group authorized to sign and unknown to all revoked members. The private key is updated (operations 8, 11) at group level on each revocation within the group and at member level only on anonymous signing of a message by the member.

FIELD OF THE INVENTION

The present invention relates to the field of telecommunications and more particularly to securing transmissions, in particular for services, using cryptography.

DESCRIPTION OF THE PRIOR ART

Electronic signature mechanisms have been developed for authenticating the source of a document transmitted via telecommunications means. It should be noted that the term “transmission in electronic form” is routinely used to refer to the transmission of a document via telecommunications means. In the context of the invention, the documents in question are necessarily in digital form, as opposed to paper form; the term “message” as used below in this application refers to this type of document. The most widely used electronic signature mechanisms are based on public key cryptographic techniques that rely on an entity known as a trusted authority. The trusted authority usually generates certificates on behalf of users of standard public key methods; these certificates establish a connection between a public key and the identity of the proprietor of the key. To use this kind of method, the persons signing messages must first obtain certification from the trusted authority by communicating thereto at least their public keys and their identities. The method calculates an electronic signature for a message taking account of the content of the message and of the person's private key. The signatory sends the message, the signature and the certificate to the addressee of the message, who verifies the electronic signature of the message using at least the public key and the content of the message.

For some applications, such as electronic voting, electronic bidding or anonymous electronic payments, it is necessary to use an anonymous electronic signature. An anonymous electronic signature has the same characteristics as an ordinary electronic signature except that the addressee cannot determine the identity of the signatory, who remains anonymous. However, the addressee is able to contact the trusted authority, which is able to remove the anonymity by referring to the certificate.

The anonymous group signature is one particular type of anonymous signature. An anonymous group signature scheme enables each member of a group to produce an electronic signature that is characteristic of the group. The addressee of a message accompanied by an anonymous group signature is able to verify that the signature was applied by one of the members of the group but is not able to determine which of the members of the group this was.

In the context of the invention, a group is a set of persons who declare themselves to an authority as belonging to the same group. At the time of this declaration, each person interacts with the trusted authority using a particular protocol, after which the person obtains a private key which is associated with a public key of the group previously determined by the trusted authority, and the authority and the person obtain an identifier of the person associated with the private key. Below, in this application, each person is referred to as a member. One example of a protocol of this kind is described in the paper by J. Camenisch and M. Michels “Efficient Group Signature Schemes For Large Groups”, in B. Kaliski, editor, Advances In Cryptology—CRYPTO'97, Volume 1296 of LNCS, pages 410 to 424, Springer-Verlag, 1997. The same interaction occurs upon the arrival of a new member. From the point of view of the trusted authority, the existence of a group is reflected by assigning the group a group public key and assigning each member a different private key associated with the public key and an identifier. Using his or her own private key, a member is able to apply an anonymous group signature to a selected message. Any addressee is able to verify that the signature was in fact applied by one of the members of the group, provided that the group public key was used. After verification, the addressee is certain either that the signature was applied by a member of the group or that it was not, as the case may be, but obtains no information as to the identifier of that member, the signatory communicating his or her own identifier to the addressee only in a form encrypted by means of a public key of the trusted authority; the signature is anonymous. However, the addressee may contact the trusted authority, which is able to determine the identity of the signatory from the encrypted identifier accompanying the group anonymous signature. Thus the trusted authority is able to remove the anonymity at any time.

A group may evolve after it has been set up by the trusted authority. A first type of change is for new persons to become members of the group. A second type of change, referred to as revocation, is for members to leave the group or to be excluded from the group. Each time the group changes, the trusted authority is faced with the problem of assigning to or withdrawing from a member of the group the means for applying a group anonymous signature. The first problem that arises relates to assigning a new member the means for applying a group anonymous signature, and is solved using one of the prior art public key/private key generation algorithms that associate as many private keys as necessary with the same public key. One example of this kind of algorithm is described in the paper by J. Camenisch and M. Michels “Efficient Group Signature Schemes For Large Groups”, in B. Kaliski, editor, Advances In Cryptology—CRYPTO'97, Volume 1296 of LNCS, pages 410 to 424, Springer-Verlag, 1997.

The second problem that arises relates to withdrawing these means from a person, and is solved by various prior art revocation methods.

A first of these methods is described in the paper by E. Bresson and J. Stern “Efficient Revocation In Group Signatures”, in K. Kim, editor, Public Key Cryptography—PKC 2001, Volume 1992 of LNCS, pages 190-206, Springer-Verlag, 2001. That method is based on the fact that each member of a group has a personal identifier. Given that the signature must remain anonymous, it is not possible to reveal this identifier. However, in this method, the identifier of the signatory is divided by that of each revoked member; the result of each division is different from 1 if, and only if, the signatory is not a revoked member. Using an encryption algorithm, each of the results of these divisions is then encrypted and the encrypted result is sent to the addressee, accompanied by particular elements. The addressee uses the particular elements and the encrypted results to verify that the divisions have been effected correctly and that all the results are different from 1, which confirms that the signature was applied by a non-revoked member.

Given that there are as many encrypted results and particular elements as there are revoked members, this method has the drawback of generating a group anonymous signature whose length and calculation time increase in proportion to the number of revoked members.

A second revocation method is described in the paper by H. J. Kim, J. I. Lim and D. H. Lee “Efficient And Secure Member Deletion In Group Signature Schemes”, in D. Won, editor, Information Security And Cryptology—ICISC 2000, Volume 2015 of LNCS, pages 150 et seq., Springer-Verlag, 2000. That method uses three keys in addition to the keys necessary for a successful group signature scheme, namely an ownership private key for each member, an ownership public key to enable members to verify the validity of their own keys, and a renewal public key to enable members to modify their ownership private keys each time that a member joins or leaves the group. The trusted authority modifies the ownership public key and the renewal key for each new member and for each revocation of a member. The remaining members of the group modify their ownership private keys using the renewal key and verify validity by using the ownership public key. To sign a message electronically, signatory members use their own ownership private keys. Thus the addressee is able to verify the electronic signature using the ownership public key. That method has the drawback of being specific in application, in that it has proven to be secure only in a particular group signature scheme that corresponds to that described in the paper by J. Camenisch and M. Michels “A Group Signature Scheme With Improved Efficiency”, in K. Ohta and D. Pei, editors, Advances In Cryptology—ASIACRYPT'98, Volume 1514 of LNCS, pages 160-174, Springer-Verlag, 1998. Furthermore, that method has the disadvantage that it imposes calculations on each member each time that a member joins or leaves the group; these calculations may become frequent if the dynamics of the group are particularly intense.

One objective of the invention is to remove the drawbacks of the above-described prior art methods.

SUMMARY OF THE INVENTION

To this end, the present invention provides a cryptographic method of anonymously signing a message by a member of a group comprising n members each equipped with calculation means and associated storage means. The method comprises the following initial steps at the time of constituting the group:

-   a first step in which first calculation means of a trusted authority calculate a pair of asymmetric keys common to the members of the group and comprising a common public key and a common private key,
-   a second step in which the first calculation means calculate a group public key associated with the group,
-   a third step in which, for each member, during an interaction between the calculation means of the trusted authority and the calculation means of the member, a group private key is calculated and stored in the storage means of the member, each group private key being associated with the group public key and being different for each member of the group,
-   a fourth step in which the first calculation means determine as many symmetrical secret keys as there are members of the group, and
-   a fifth step in which the first calculation means encrypt the common private key using each of the secret keys to obtain as many encrypted forms of the common private key as there are non-revoked members.

The method further comprises the following steps on each revocation within the group:

-   a sixth step in which the first calculation means modify the pair of common asymmetric keys to determine a common public key and a common private key that are up to date,
-   a seventh step in which the first calculation means encrypt the common private key using each of the secret keys to obtain as many encrypted forms of the common private key as there are non-revoked members.

The method further comprises the following steps on the group member anonymously signing a message having to be sent to an addressee:

-   an eighth step in which the common private key stored by the storage means of the member is updated only if one of the encrypted values of the common private key may be decrypted using the symmetrical secret key in the member's storage means,
-   a ninth step in which the member's calculation means calculate an anonymous signature of the message using its group private key, and
-   a tenth step in which the member's calculation means calculate an additional signature of the combination comprising the message and the anonymous signature using the member's common private key.

The method of the invention supplements the anonymous signature of a message effected by a member with an additional signature calculated using a copy, held by the member, of a signature private key that is exactly the same for all the members authorized to sign and unknown to all revoked members. This common private key is updated by the trusted authority each time a member of the group is revoked. The copy held by a member is updated only when the member signs a message anonymously, and this updating is possible only for a non-revoked member.

Thus a revoked member is always detected because the additional signature such a member provides is necessarily false, given that said member does not have the updated common private key.

According to another feature of the invention, the group is constituted at a date t1 and the method further comprises the following operations:

-   during the first step, the first calculation means associate the common private key with an update date equal to t1, and
-   during the third step, the storage means of each member store the update date of the common private key,

the following operation is executed at the time of each revocation within the group at a date t2:

-   during the sixth step, the first calculation means modify the update date to determine an update date equal to the date t2,

and the following operation is executed on each anonymous signing by the member of the group of a message having to be sent to an addressee:

-   during the eighth step, the common private key stored in the member's storage means is updated only if the update date in the member's storage means is also different from the update date of the common private key updated by the first calculation means.

According to another feature of the invention, the method further comprises the following operations:

-   during the third step the first calculation means calculate for each member of the group an identifier of the member and the identifier of each member is stored in the member's storage means,

and the following operation on each revocation within the group:

-   the first calculation means calculate an identifier for each new member of the group.

According to another feature of the invention, the steps further comprise the following operations:

-   during the third step, storage means connected to the first calculation means store the symmetrical secret key of each member, the pair of asymmetric keys common to the members of the group, and the group public key,

and the following operation on each modification of the composition of the group that corresponds to a revocation within the group:

-   the secret key of the revoked member is removed from the storage means connected to the first calculation means,

and the following operations to update the common private key stored in the member's storage means:

-   the member's calculation means read the different encrypted forms of the common private key stored in the storage means connected to the first calculation means, and
-   the member's calculation means use the secret key in the member's storage means to decrypt the different encrypted forms of the common private key.

The invention also provides cryptographic apparatus for anonymously signing a digital message, which apparatus comprises:

-   first calculation means for calculating at least one pair of asymmetric keys common to the members of the group of n members and a group public key associated with the group, for calculating a group private key for each member during interaction with the member's calculation means, each group private key being associated with the group public key and being different for each member of the group, for determining as many symmetrical secret keys as there are members of the group and encrypting the common private key using each of the symmetrical secret keys to obtain as many encrypted forms of the common private key as there are non-revoked members.

According to another feature of the invention, the apparatus further comprises:

-   storage means connected to the first calculation means via a communications network for storing at least a symmetrical secret key of each member of the group, the group public key, the public key common to the members of the group, and each of the different encrypted forms of the common private key.

The invention further provides a smart card intended for a member of a group of n members and adapted to interact with the above apparatus. The card comprises:

-   means for storing a private key common to the members of the group, a group private key of the member, and a symmetrical secret key assigned to the member,
-   means for updating the common private key stored in the member's storage means to update the common private key only if one of the encrypted values of the common private key calculated by the first calculation means of the apparatus may be decrypted using the symmetrical secret key in the member's storage means, and
-   calculation means for calculating an anonymous signature for a message using its group private key and for calculating an additional signature for the combination comprising the message and the anonymous signature using the member's common private key.

According to another feature of the invention, the updating means of the smart card comprise decrypting means for decrypting one of the encrypted values of the common private key using the symmetrical secret key in the member's storage means. The encrypted values of the common private key are previously calculated by the first calculation means of the apparatus.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features and advantages of the invention will become apparent in the course of the following description, which is given with reference to the appended drawings showing particular embodiments by way of non-limiting example. In the figures:

FIG. 1 is a flowchart of a method of the invention.

FIG. 2 is a flowchart of a particular implementation of a method of the invention.

FIG. 3 is a diagram of a particular embodiment of apparatus of the invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

FIG. 1 is a flowchart of a cryptographic method of the invention for signing a message anonymously. The method is intended to be used by any member of a group comprising n members. Each member has calculation means associated with storage means. The steps of the method comprise initial steps and other steps. The initial steps are executed during the creation of the group and are described below.

A first step consists of first calculation means of a trusted authority calculating a pair of asymmetrical keys common to the members of the group (operation 1); this pair of keys comprises a common public key and a common private key. The algorithm used for the first step is a public key signature algorithm and may be an RSA algorithm, named for its authors R. L. Rivest, A. Shamir and L. Adleman.

A second step consists in the first calculation means calculating a group public key associated with the group (operation 2). The calculation is effected using a particular algorithm, which may be the one described in the paper by J. Camenisch and M. Michels “Efficient Group Signature Schemes For Large Groups”, in B. Kaliski, editor, Advances In Cryptology—CRYPTO'97, Volume 1296 of LNCS, pages 410 to 424, Springer-Verlag, 1997.

A third step consists in calculating a group private key associated with the group public key during interaction between the trusted authority and each member of the group in turn, the group private key being different for each member of the group (operation 3). During this interaction, the group private key of the member is stored (operation 4) by the member's storage means; the trusted authority does not know this key. The calculation is effected using a particular algorithm, which may be that described in the paper by J. Camenisch and M. Michels “Efficient Group Signature Schemes For Large Groups”, in B. Kaliski, editor, Advances In Cryptology—CRYPTO'97, Volume 1296 of LNCS, pages 410 to 424, Springer-Verlag, 1997.

A fourth step consists in the first calculation means determining as many symmetrical secret keys as there are group members (operation 5). This operation may consist in drawing digits and letters at random to form a key. In one variant, the symmetrical secret keys may conform to a particular distribution. One such distribution is described in the paper by C. K. Wong, M. G. Gouda and S. S. Lam “Secure Group Communications Using Key Graph”—Technical Report TR-97-23, 28 Jul. 1997.

A fifth step consists in the first calculation means encrypting the common private key using each of the secret keys to obtain as many encrypted forms of the common private key as there are non-revoked members (operation 6). This encryption is effected using an encryption algorithm such as the AES algorithm.

In the preceding variant, the symmetrical secret keys conform to a particular distribution that allows encryption of the common private key using only some of the secret keys.

The composition of the group may be modified after it is constituted (operation 7). One such modification is a revocation within the group or the entry of a new member into the group. The method comprises the following steps on each revocation within the group and optionally on each entry of a new member.

A sixth step consists in the first calculation means modifying the pair of common asymmetrical keys to determine a common public key and a common private key for the up to date composition of the group (operation 8). This modification is typically effected using the same algorithm as that used during the first step.

A seventh step consists in the first calculation means encrypting the common private key using each of the secret keys to obtain as many encrypted forms of the common private key as there are non-revoked members (operation 9). This encryption is typically effected using the same algorithm as that used in the fifth step.

A group member may sign a message at any time before sending it to an addressee (operation 10). The method comprises the following steps each time a message is signed anonymously by a member.

An eighth step consists in updating the common private key stored by the storage means of the member only if it is possible to decrypt one of the encrypted values of the common private key using the symmetrical secret key in the storage means of the member (operation 11). This decryption is effected using the same algorithm as that used in the seventh step, i.e. during encryption. The updating is effected if the decryption algorithm is able to decrypt one of the encrypted values of the common private key.

A ninth step consists of the calculation means associated with the member's storage means calculating an anonymous signature of the message using his group private key (operation 12). The calculation is effected using an anonymous signature algorithm. One such algorithm is described in the paper by J. Camenisch and M. Stadler “Efficient Group Signature Schemes For Large Groups”, in B. Kaliski, editor, Advances In Cryptology—CRYPTO'97, Volume 1296 of LNCS, pages 410 to 424, Springer-Verlag, 1997. Another description is given in the paper by J. Camenisch and M. Michels “A Group Signature Scheme With Improved Efficiency”, in K. Ohta and D. Pei, editors, Advances In Cryptology—ASIACRYPT'98, Volume 1514 of LNCS, pages 160-174, Springer-Verlag, 1998.

A tenth step consists in the member's calculation means calculating an additional signature of the combination of the message and the anonymous signature using the member's common private key (operation 13). The algorithm used for the tenth step is a public key signature algorithm and may be the RSA algorithm.

FIG. 2 is a flowchart of one particular implementation of the method of the invention. Elements already described with reference to FIG. 1 are not described again. Specific elements are described hereinafter.

The first step further consists in associating with the common private key an update date equal to t1, where t1 is the date the group is constituted (operation 14).

The third step further consists in the storage means of each member storing the update date of the common private key (operation 15).

On each modification of the common private key at a date t2, during the sixth step, the method further consists in the first calculation means modifying the update date to determine an update date equal to the date t2 (operation 16).

On each anonymous signing by a group member of a message having to be sent to an addressee, the eighth step consists in updating the common private key in the member's storage means if the update date in the member's storage means is also different from the update date of the common private key updated by the first calculation means (operation 17). On the other hand, if the date in the member's storage means is equal to the update date of the group private key that has been updated, there is no updating by the member's storage means.

The pair of common asymmetrical keys and the update date are not updated by the first calculation means if there is no revocation of a member and no addition of a new member. Consequently, and advantageously, the member's calculation means do not update his common private key, using the common private key in the member's storage means to calculate the additional signature.

FIG. 3 is a diagram of one embodiment of a system for implementing the method of the invention.

The system comprises at least calculation means 20 and as many smart cards 21₁ as there are group members.

A trusted authority, such as a physical person, a moral person, or a national or international agency, maintains calculation means 20 that are shown in FIG. 3 in the form of a server. The calculation means 20 are connected by first communications means 22 to a communications network 23 which may be a public network such as the Internet or a private network such as a local area network (LAN).

Each member of a group holds a smart card 21₁ whose microchip comprises storage means 24 and calculation means 25. Each member further holds or has access to a reader 26 for that card connected by a second communications link 27 to a computer, for example a personal computer 28. The personal computer 28 is connected by a third communications link 29 to the communications network 23.

The group is constituted by the trusted authority during interaction between the trusted authority and each member of the group. Before this interaction, the server 20 of the trusted authority calculates a pair of asymmetric keys 30, 31 common to the members of the group and a group public key associated with the group. During each interaction, the server 20 of the trusted authority and the calculation means 25 of the member calculate a group private key 33₁. The group private key 33₁ is stored in the storage means 24 of the member's smart card. After interacting with the trusted authority, the member holds a group private key that is specific to him and is different from the group private keys of all the other members. The pair of common asymmetric keys 30, 31 comprises a common public key 30 and a common private key 31. This pair 30, 31 may be associated with an update date D that is initialized to the date t1 of calculation of the pair. The group private keys are different for each member of the group and associated with the public key 32 of the group.

During each interaction, the server 20 of the trusted authority determines a symmetrical secret key 34ᵢ and then encrypts the common private key 31 using each of the secret keys 34ᵢ to obtain as many encrypted forms of the common private key 31 as there are non-revoked members.

During each interaction, the trusted authority's server 20 and the member's calculation means 25 generally also calculate an identifier 35ᵢ of the member.

The smart card 21₁ stores in its storage means 24 the common private key 31, the member's group private key 33₁ and the secret key 34₁ assigned to the member during the interaction between the trusted authority and the member. The keys are transferred into the smart card during this interaction by standard methods.

The trusted authority retains a copy of the symmetrical secret key 34ᵢ and the identifier 35ᵢ of each member in a memory space which may be a memory area of the server 20 or associated storage means 36. The public keys and the encrypted common private keys 31 are held in a directory stored in a public portion of the memory space 20, 36; in other words it is directly accessible via the network 23, in particular to each group member and to each addressee of a message.

After the group has been constituted by the trusted authority, it may change, on either the entry of a new member into the group or the revocation of a member of the group.

On each revocation within the group, the server 20 modifies the pair of common asymmetric keys 30, 31 to determine a pair of asymmetric keys for the up to date composition of the group. This updating is effected at a date referred to as the update date. It may also, where applicable, be effected on entry of a new member into the group.

Following the determination of this up to date pair of common asymmetric keys, the server 20 makes available in encrypted form the private key 31 of this pair of asymmetric keys for each of the smart cards 21₁ of the non-revoked members of the group. The server 20 calculates as many encrypted forms as there are non-revoked members using the secret key 34ᵢ personal to each member. Each time the group evolves, the server 20 encrypts the private key 31 of the up to date pair of common asymmetric keys 30, 31.

Each of the personal secret keys 34ᵢ entered as input arguments of the encryption algorithm corresponds to a result in the form of the encrypted value of the common private key 31 of the up to date pair of asymmetric keys. The various results and, as a general rule, the update date, are stored in the directory.

When a group member wishes to sign a message stored in a personal computer 28, that member inserts a smart card 21₁ into the card reader 26 connected to the computer 28. The calculation means 25 of the smart card 21₁ connect to the memory space 20, 36 in which a directory is stored via the personal computer 28 and the network 23.

The smart card 21₁ reads the update date D of the common private key in the directory. The calculation means 25 of the smart card 21₁ compare this update date D with the date D₁ in its storage means 24. Either these dates are different or they are identical.

If the dates are different, the smart card 21₁ may copy into its storage means 24 the various encrypted forms of the common private key 31, for example. The calculation means 25 of the smart card 21₁ may then decrypt each of the encrypted forms of the common private key 31 using the decryption algorithm associated with the encryption algorithm previously used. The input arguments comprise the personal secret key 34₁ stored in the smart card 21₁ and the successive encrypted forms of the common private key 31. On the first correct decryption result, the smart card 21₁ updates the common private key 31 in its storage means 24 to the decrypted value of the encrypted common private key 31 and updates the update date D₁ in its storage means 24 to the update date D associated with the decrypted value of the encrypted common private key 31.

Another method places an identifier of the member concerned before each encrypted form of the common private key 31. The calculation means 25 of the smart card 21₁ can then test each encrypted form of the common private key 31 using the identifier. On reaching a valid test result, it decrypts the encrypted form of the corresponding common private key 31 using the decryption algorithm associated with the encryption algorithm previously used. The input arguments comprise the personal secret key 34₁ stored in the smart card 21₁ and the encrypted form of the common private key 31. The smart card 21₁ updates the common private key 31 in its storage means 24 to the decrypted value of the encrypted common private key 31 and updates the update date D₁ in its storage means 24 to the update date D associated with the decrypted value of the encrypted common private key 31.

If the dates are identical, the smart card does not copy the encryptedforms of the common private key 31 into its storage means 24. Thissituation arises if the group has not evolved since the entry of themember into the group; the smart card 21 ₁ holds the most recentlyupdated common private key 31.
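The update phase described above, sketched as an added example (it is not code from the patent): the authority re-encrypts a fresh common private key under each remaining member's secret key on revocation, and a card refreshes its copy only when the directory date differs and one encrypted form decrypts correctly. The `seal`/`unseal` pair is an assumed stand-in for the unspecified encryption algorithm, random bytes stand in for the common private key 31, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def _stream(key, nonce, n):
    # SHA-256 counter-mode keystream: teaching stand-in, use a vetted AEAD in practice.
    blocks = (hashlib.sha256(b"enc" + key + nonce + c.to_bytes(4, "big")).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC, so a card can recognise a correct decryption result."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the blob was not sealed under `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

class Card:
    """Member smart card: secret key 34_i, common private key 31, update date D_i."""
    def __init__(self, secret_key, common_private_key, date):
        self.secret_key = secret_key
        self.common_private_key = common_private_key
        self.date = date

    def update_before_signing(self, directory):
        if directory["date"] == self.date:
            return "current"                 # dates identical: nothing to copy
        for blob in directory["encrypted_forms"]:
            key = unseal(self.secret_key, blob)
            if key is not None:              # first correct decryption result
                self.common_private_key, self.date = key, directory["date"]
                return "updated"
        return "no-match"                    # revoked: no form decrypts for this card

class Authority:
    """Trusted authority: keeps the secret keys 34_i and publishes the directory."""
    def __init__(self, member_ids, date):
        self.secret_keys = {m: os.urandom(32) for m in member_ids}
        self._rekey(date)

    def _rekey(self, date):
        self.common_private_key = os.urandom(32)   # stand-in for private key 31
        forms = [seal(k, self.common_private_key) for k in self.secret_keys.values()]
        self.directory = {"date": date, "encrypted_forms": forms}

    def issue_card(self, member_id):
        return Card(self.secret_keys[member_id], self.common_private_key,
                    self.directory["date"])

    def revoke(self, member_id, date):
        del self.secret_keys[member_id]            # revoked member gets no new form
        self._rekey(date)

def demo():
    """Constructed scenario: three members, member-2 revoked at date t2."""
    authority = Authority(["member-1", "member-2", "member-3"], date="t1")
    cards = {m: authority.issue_card(m) for m in list(authority.secret_keys)}
    authority.revoke("member-2", date="t2")
    return {m: c.update_before_signing(authority.directory) for m, c in cards.items()}

if __name__ == "__main__":
    print(demo())
```

The revoked card keeps only the stale key, so an additional signature it produces no longer verifies under the up-to-date common public key.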

After this updating phase, the calculation means 25 of the smart card 21₁ recover the message stored in the computer 28. The calculation means 25 of the smart card 21₁ calculate an anonymous signature for the message using the signature algorithm. The input arguments comprise the message and the group private key 33₁ in the memory means 24 of the microchip.

After the above calculation, the calculation means 25 of the smart card 21₁ use the previous signature algorithm to calculate an additional signature of the combination of the message and the anonymous signature. The input arguments comprise the combination of the message and the anonymous signature and the common private key 31 in the member's storage means.

Finally, the smart card 21₁ sends the additional signature, the anonymous signature and the message to the addressee chosen by the member.

The addressee is therefore able to verify that the member who signed the message is a non-revoked member. To this end, the addressee verifies each of the two signatures, namely the additional signature and the anonymous signature, using the common public key and the group public key, respectively. For verification purposes, the addressee uses a verification algorithm available on a personal computer 37, for example. The input arguments comprise the message and the common public key, respectively the group public key.

A first application of a method of the invention is to electronic voting, which comprises two phases:

-   registration on an electoral list by an administrative authority, and
-   voting using a ballot box connected via a communications network to a voting administration server.

When registering, the elector obtains a group private key by means of a method of the invention. In this embodiment of the method, the anonymous signature that the elector may produce using the group private key is referred to as “correlatable”. This means that, if the elector attempts to sign a second voting slip anonymously by producing an anonymous signature, the slip is rejected by the ballot box. Because the anonymous signature is correlatable, the ballot box is able to verify that this is a second anonymous signature.

A malicious elector cannot claim that he has lost his group private key and receive another one, and thus be in a position to vote twice. A method of the invention prohibits him from using the first group private key, as this group private key is updated when he declares that he has lost the first group private key. The loss of a group private key by a member is managed by a method of the invention in the same way as revocation of the member.

A second application of a method of the invention is to electronic bidding. Bidding involves three protagonists, namely a server, a trusted authority, and a client. All clients form a client group. A user wishing to subscribe to a client group must contact the trusted authority, which supplies that user with a personal group private key. The user thus obtains the right to produce a group anonymous signature. Using this right, the user is able to sign bids anonymously. At the time of a bid for a certain product, each member of the client group may bid by signing a message containing in particular details of the product on sale and the amount of the bid. The bidding server is then able to verify that the bidder belongs to the group, and thus that the bid is valid, by verifying the group anonymous signature. The winner is the person submitting the highest bid prior to adjudication. The last message received by the bidding server is therefore that from the winner. The server then sends this message and the corresponding group anonymous signature to the trusted authority, which alone is able to remove the anonymity and thus to determine the physical identity of the purchaser of the product bid for.

Bidding involves dynamic groups as new persons may be registered with the group every day and a member may leave the group or be excluded for fraud at any time. It is therefore essential to set up a revocation mechanism to prevent a revoked member using the revoked signature fraudulently. A revoked member could continue to use the group private key to bid and thus corrupt the bidding process, for example by upping the bidding. If the revoked member is careful to withdraw from the bidding process soon enough to avoid making the winning bid, the fraud will go undetected, since only the identity of the winner is finally revealed. A method of the invention solves the problem of revocation of one or more members of the group.

A third application of a method of the invention is to electronic payment. This involves four protagonists, namely a customer, a trader, a bank, and a trusted authority. Customers must identify themselves to the system and obtain a group private key before being able to carry out a first transaction. To make a payment, the customer must withdraw electronic “cash” from his bank. Because of the use of a blind signature scheme, the cash C the customer withdraws is anonymous. The cash C is spent in the following manner: the customer generates a group signature applying to the cash C and sends the combination of the signature and the cash C to a trader. The trader verifies the signature of the bank attached to the cash C and verifies the group signature. If both signatures are valid, the trader accepts the transaction. At a given time of day, the trader sends the signatures and cash received in payment to the bank, for transfer to the trader's account. In the event of fraud, for example use of the same cash in multiple transactions, the bank sends the group signature applying to the contested cash to the trusted authority in order for it to identify and sanction the wayward customer.

A reliable mechanism for revoking group private keys that have been compromised is necessary to prevent fraud of the following type: a dishonest customer reports to the trusted authority the loss of his own group private key s and thereby absolves himself of any liability for fraud carried out using the key s. The customer hands his key over to an accomplice, who is then able to use the key s to sign cash c legitimately withdrawn from the bank and then spend the cash as many times as he wishes. A method of the invention solves the problem of revoking group private keys.

1. A cryptographic method of anonymously signing a message by a member of a group comprising n members each equipped with calculation means (25) and associated storage means (24), which method is characterized in that it comprises the following initial steps at the time of constituting the group: a first step in which first calculation means of a trusted authority calculate a pair of asymmetric keys (30, 31) common to the members of the group and comprising a common public key (30) and a common private key (31) (operation 1), a second step in which the first calculation means calculate a group public key (32) associated with the group (operation 2), a third step in which, for each member, during an interaction between the calculation means of the trusted authority and the calculation means of the member, a group private key (33₁) is calculated (operation 3) and stored (operation 4) in the storage means (24) of the member, each group private key (33₁) being associated with the group public key (32) and being different for each member of the group, a fourth step in which the first calculation means determine as many symmetrical secret keys (34ᵢ) as there are members of the group (operation 5), and a fifth step in which the first calculation means (20) encrypt the common private key (31) using each of the secret keys (34ᵢ) to obtain as many encrypted forms of the common private key (31) as there are non-revoked members (operation 6), and in that it comprises the following steps on each revocation within the group: a sixth step in which the first calculation means (20) modify the pair of common asymmetric keys (31) to determine a common public key (30) and a common private key (31) that are up to date (operation 8), a seventh step in which the first calculation means (20) encrypt the common private key (31) using each of the secret keys (34ᵢ) to obtain as many encrypted forms of the common private key (31) as there are non-revoked members (operation 9), and in that the method comprises the following steps on the group member anonymously signing (operation 10) a message having to be sent to an addressee: an eighth step in which the common private key (31) stored by the storage means (24) of the member is updated (operation 11) only if one of the encrypted values of the common private key (31) may be decrypted using the symmetrical secret key (34₁) in the member's storage means (24), a ninth step in which the member's calculation means (25) calculate (operation 12) an anonymous signature of the message using its group private key (33₁), and a tenth step in which the member's calculation means (24) calculate (operation 13) an additional signature of the combination comprising the message and the anonymous signature using the member's common private key (31).
2. A cryptographic anonymous signature method according to claim 1, wherein the group is constituted at a date t1 and further comprising the following operations: during the first step, the first calculation means associate the common private key (31) with an update date equal to t1 (operation 14), and during the third step, the storage means (24) of each member store the update date of the common private key (operation 15), wherein the following operation is executed at the time of each revocation within the group at a date t2: during the sixth step, the first calculation means (20) modify the update date to determine an update date equal to the date t2 (operation 16), and wherein the following operation is executed on each anonymous signing by the member of the group of a message having to be sent to an addressee: during the eighth step, the common private key stored in the member's storage means (24) is updated (operation 11) only if the update date (D₁) in the member's storage means (24) is also different from the update date (D) of the common private key (31) updated by the first calculation means.
3. A cryptographic anonymous signature method according to claim 1, further comprising the following operations: during the third step, the first calculation means calculate for each member of the group an identifier (35ᵢ) of the member (operation 3) and the identifier (35ᵢ) of each member is stored in the member's storage means (24) (operation 4), and the following operation on each revocation within the group: the first calculation means (20) calculate an identifier (35ᵢ) for each new member of the group.
4. A cryptographic method according to claim 3 of anonymously signing a message, wherein the steps further comprise: during the third step, storage means (36) connected to the first calculation means (20) store the symmetrical secret key (34ᵢ) of each member, the group public key (32), the public key (30) common to the members of the group, each of the encrypted forms of the common private key (31), and each of the identifiers (35ᵢ), each encrypted form of the common private key (31) being associated with one of the identifiers (35ᵢ), and further comprising the following operation for each modification of the composition of the group that corresponds to a revocation of one of the members of the group: removing the secret key (34ᵢ) of that member from the storage means (36) connected to the first calculation means (20), and further comprising the following operations to update the common private key (31) stored in the member's storage means (24): the member's calculation means (25) read the different encrypted form (31) of the common private key stored in the storage means (36) connected to the first calculation means (20) and associated with the identifier (35ᵢ) of the member, and the member's calculation means (25) decrypt the different encrypted form of the common private key (31) previously read using the secret key (34ᵢ) stored in the member's storage means (24).
5. A cryptographic method according to claim 1 of anonymously signing a message, wherein the initial steps further comprise: during the third step, storage means (36) connected to the first calculation means (20) store the secret key of each member, the pair of asymmetric keys (30, 31) common to the members of the group, and the group public key (32), and further comprising the following operation on each modification of the composition of the group that corresponds to a revocation within the group: the secret key of the revoked member is eliminated from the storage means (36) connected to the first calculation means (20), and further comprising the following operations to update the common private key (31) in a member's storage means (24): the member's calculation means (25) read the different encrypted forms of the common private key (31) in the storage means (36) connected to the first calculation means (20), and the member's calculation means use the secret key (34₁) in the member's storage means (24) to decrypt the different encrypted forms of the common private key (31).
6. Cryptographic apparatus for anonymously signing a digital message, characterized in that it comprises: first calculation means (20) for calculating (operations 1, 2) at least one pair of asymmetric keys (30, 31) common to the members of the group of n members and a group public key (32) associated with the group, for calculating (operation 3) a group private key (33₁) for each member during interaction with the member's calculation means (25), each group private key (33₁) being associated with the group public key (32) and being different for each member of the group, for determining (operation 5) as many symmetrical secret keys (34ᵢ) as there are members of the group and encrypting (operation 6) the common private key (31) using each of the symmetrical secret keys (34ᵢ) to obtain as many encrypted forms of the common private key (31) as there are non-revoked members.
7. Cryptographic apparatus according to claim 6 for anonymously signing a digital message, further comprising: storage means (36) connected to the first calculation means (20) via a communications network (23) for storing at least a symmetrical secret key (34ᵢ) of each member of the group, the group public key (32), the public key (30) common to the members of the group, and each of the different encrypted forms of the common private key (31).
8. A smart card (21₁) intended for a member of a group of n members and adapted to interact with apparatus according to either claim 6 or claim 7, characterized in that it comprises: means (24) for storing a private key (31) common to the members of the group, a group private key (33₁) of the member, and a symmetrical secret key (34₁) assigned to the member, means (25) for updating the common private key (31) stored in the member's storage means (34) to update (operation 11) the common private key (31) only if one of the encrypted values of the common private key (31) calculated by the first calculation means (20) of the apparatus may be decrypted using the symmetrical secret key (34₁) in the member's storage means (24), and calculation means (25) for calculating (operation 12) an anonymous signature for a message using its group private key (33₁) and for calculating (operation 13) an additional signature for the combination comprising the message and the anonymous signature using the member's common private key (31).
9. A smart card (21₁) according to claim 8, wherein the updating means (25) comprises decrypting means for decrypting one of the encrypted values of the common private key (31) calculated (operation 1) by the first calculation means (20) of the apparatus using the symmetrical secret key (34₁) in the member's storage means (24).
10. A cryptographic system for anonymously signing a digital message by implementing a method according to claim 1, characterized in that it comprises at least: first calculation means (20) for calculating (operations 1, 2) at least one of said pair of asymmetric keys (30, 31) common to the members of the group of n members and said group public key (32) associated with the group, for calculating (operation 3) said group private key (33₁) for each member during interaction with the member's calculation means (25), each said group private key (33₁) being associated with said group public key (32) and being different for each member of the group, for determining (operation 5) as many of said symmetrical secret keys (34ᵢ) as there are members of the group, and encrypting (operation 6) said common private key (31) using each of said symmetrical secret keys (34ᵢ) to obtain as many encrypted forms of said common private key (31) as there are non-revoked members; and as many smart cards (21₁) as there are members in the group, wherein each smart card comprises: means (24) for storing said private key (31) common to the members of the group, said group private key (33₁) of the member, and said symmetrical secret key (34₁) assigned to the member, means (25) for updating said common private key (31) stored in the member's storage means (34) to update (operation 11) said common private key (31) only if one of the encrypted values of said common private key (31) calculated by said first calculation means (20) of the apparatus may be decrypted using said symmetrical secret key (34₁) in said member's storage means (24), and calculation means (25) for calculating (operation 12) an anonymous signature for a message using its said group private key (33₁) and for calculating (operation 13) an additional signature for the combination comprising the message and the anonymous signature using the member's said common private key (31).
11. An article of manufacture for use in a computer system, having a computer usable medium, to perform a cryptographic method of anonymously signing a message by a member of a group comprising n members each equipped with calculation means (25) and associated storage means (24), wherein the computer usable medium includes a computer readable code means for causing: (i) at the time of constituting the group: calculating (operation 1), with a first calculation means of a trusted authority, a pair of asymmetric keys (30, 31) common to the members of the group and comprising a common public key (30) and a common private key (31), calculating (operation 2), with the first calculation means, a group public key (32) associated with the group, calculating (operation 3), for each member, during an interaction between the calculation means of the trusted authority and the calculation means of the member, a group private key (33₁), and storing (operation 4) said group private key (33₁) in the storage means (24) of the member, each group private key (33₁) being associated with the group public key (32) and being different for each member of the group, determining (operation 5), with the first calculation means, as many symmetrical secret keys (34ᵢ) as there are members of the group, and encrypting (operation 6), with the first calculation means (20), the common private key (31) using each of the secret keys (34ᵢ) to obtain as many encrypted forms of the common private key (31) as there are non-revoked members; (ii) on each revocation within the group: modifying (operation 8), with the first calculation means (20), the pair of common asymmetric keys (31) to determine a common public key (30) and a common private key (31) that are up to date, encrypting (operation 9), with the first calculation means (20), the common private key (31) using each of the secret keys (34ᵢ) to obtain as many encrypted forms of the common private key (31) as there are non-revoked members; and (iii) on the group member anonymously signing (operation 10) a message having to be sent to an addressee: updating (operation 11) the common private key (31) stored by the storage means (24) of the member only if one of the encrypted values of the common private key (31) may be decrypted using the symmetrical secret key (34ᵢ) in the member's storage means (24), calculating (operation 12), with the member's calculation means (25), an anonymous signature of the message using its group private key (33₁), and calculating (operation 13), with the member's calculation means (24), an additional signature of the combination comprising the message and the anonymous signature using the member's common private key (31).